/cc @carlocab @ryandesign

Homebrew Project Leader here 👋🏻

Can't speak to specific settings myself but the two principles Homebrew generally adheres to are:

• matching Apple defaults, when Apple ships the software themselves
• minimising dependencies when they can be provided by the system instead (and aren't grossly insecure/outdated)

I'm not @ryandesign (who maintains curl in MacPorts), but I can still chime in on the current situation:

• Our default is to use curl-ca-bundle (which really is the Mozilla CA bundle)
• We have an alternative provider for $prefix/share/curl/curl-ca-bundle.crt called certsync, which is a daemon that exports the macOS trust store into a file and watches it for changes. (Its source code is at https://github.com/macports/macports-ports/blob/master/security/certsync/files/certsync.m). To a certain extent, this setup therefore already makes curl use the system CA store, but that's a non-default config.
• We can't get rid of the Mozilla CA bundle anyway, since many ports now depend on it, so it doesn't really make a difference for us whether curl still uses it.

That being said, it would yield better integration into the system to use Apple's trust store, so I'd be in favor of switching the default. We'd likely keep this off for older operating systems because Apple no longer updates their CA stores and a few enthusiasts like running them anyway.

PR #18703 is now available which implements verification via Apple's SecTrust service for OpenSSL(-like) and GnuTLS. This is enabled via

> configure --with-apple-sectrust
> cmake  -DUSE_APPLE_SECTRUST=ON

The other --with-ca-* remain valid, meaning one could mix these. The intention is to have only SecTrust configured on platforms where it is available.

Important to mention that this serves as the default in libcurl (and thus curl) when nothing else is specified at runtime. Examples:

# uses Apple SecTrust
macos> curl https://example.com

# uses *only* certs from file.pem
macos> curl --cacert file.pem https://example.com

# uses *both* certs from file.pem and SecTrust
macos> curl --ca-native --cacert file.pem https://example.com

Ok, the feature is merged for the upcoming release 8.17.0 on November 5. Write a small blog post about it: https://eissing.org/icing/posts/curl-apple-sectrust/

/cc @ryandesign @carlocab feedback appreciated.